Well, I would suggest you something different. Post analysis, mark the rules for Windows-related events and for Linux-related events. Ensure that the severity of these rules is different. Now, using the granular email method and using the <level> tag in email alerting, you can send all the events with respect to one level to Windows and of the other to Linux. Have already implemented the same in my environment.
Regards
Tanishk Lakhaani
Sent from BlackBerry® on Airtel

-----Original Message-----
From: "Nate Woodward" <[email protected]>
Sender: [email protected]
Date: Wed, 2 Mar 2011 11:45:53
To: ossec-list <[email protected]>
Reply-To: [email protected]
Subject: [ossec-list] Linux group?

I'd like to use the method described at http://www.ossec.net/wiki/Know_How:GranularEmail to send Windows-related messages to one group of people and Linux-related messages to another group. I see that there's a 'windows' group already, so that I can just put this in ossec.conf:

    <email_alerts>
      <email_to>[email protected]</email_to>
      <group>windows</group>
    </email_alerts>

It doesn't look like there's an equivalent group for Linux. Could one be created by doing something like the following in local_rules.xml?

    <group name="linux">
      <group>linuxkernel</group>
      <group>syslog</group>
      <group>ftpd</group>
      <!-- etc... -->
    </group>
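A worked ossec.conf fragment for the group-based routing the thread discusses, added here as an illustration and not taken from the list or from the OSSEC project. The addresses are placeholders, and the second block assumes the Linux rules you care about carry the existing `syslog` group, since the page does not confirm that a combined `linux` group can be defined as shown.

```xml
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <!-- Placeholder: the global recipient still receives every alert at or
         above email_alert_level, in addition to the granular lists below. -->
    <email_to>ALL-ALERTS-PLACEHOLDER@example.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Granular routing: one <email_alerts> block per recipient list.
       <group> is matched against the alert's group string and <level> is a
       minimum level, so an alert that satisfies both blocks goes to both lists. -->
  <email_alerts>
    <email_to>WINDOWS-TEAM-PLACEHOLDER@example.com</email_to>
    <group>windows</group>
    <level>7</level>
  </email_alerts>

  <email_alerts>
    <email_to>LINUX-TEAM-PLACEHOLDER@example.com</email_to>
    <!-- Assumption: the Linux-side rules of interest are in the syslog group;
         add further blocks for other groups (e.g. sshd) if they are not. -->
    <group>syslog</group>
    <level>7</level>
  </email_alerts>
</ossec_config>
```

Check the effect on a test event before relying on it: the global `<email_to>` is the one most often forgotten, and it keeps receiving everything unless its level is raised or it is removed.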
